httpd-users mailing list archives

Julien Gerhards wrote:
> Hi,
>
> I try to use mod_security but it doesn t filter anything !
> My vhostconf :
>
> <VirtualHost *:80>
> ServerSignature Off
> ServerName cache-ext
> ErrorLog logs/cache-ext_error.log
> CustomLog logs/cache-ext_access.log combined
> <IfModule mod_proxy.c>
> <LocationMatch "^[^/]">
> Deny from all
> </LocationMatch>
> <IfModule mod_rewrite.c>
> RewriteEngine On
> # RewriteCond %{REQUEST_URI} ^/img=(.+)$
> RewriteRule ^/img=(.+)$ $1 [L,P]
> RewriteLog /var/log/RewriteLog.log
> RewriteRule ^[/img=](.+)$ - [F]
> </IfModule>
> AllowEncodedSlashes on
> ProxyRequests On
> ProxyVia On
> <IfModule mod_disk_cache.c>
> CacheEnable disk /
> CacheRoot "/var/cache/mod_proxy"
> </IfModule>
> <IfModule mod_mem_cache.c>
> CacheEnable mem /
> MCacheMaxObjectSize 1024000
> MCacheSize 102400
> </IfModule>
> <proxy *>
> # deny from all
> </proxy>
> <proxymatch ^/img=(.+)$>
> allow from all
> </proxymatch>
> <IfModule mod_security.c>
> SecFilterEngine On
> SecFilterDefaultAction "deny,log,status:403"
> SecFilterDebugLevel 9
> SecFilterSelective macbidouille.com
> SecAuditLog logs/audit_log
> </IfModule>
> </IfModule>
> </VirtualHost>
>
> It should respond me an 403 error for every URL with a macbidouille.com in the URL.
>
> Any ideas?
>
Yes.
mod_security is not a standard Apache module. As the site for
mod_security (http://www.modsecurity.org/) states :
Community support is available on the
mod-security-users/lists.sourceforge.net mailing list. You must
subscribe first (by clicking here) in order to post. The list archives
are available as News (NNTP), Threaded HTTP, Bloggy HTTP, and RSS.
So I think you will have more chances there.
Apart from that, the above rule
RewriteRule ^[/img=](.+)$ - [F]
actually means :
for URLs starting with either one of the characters /,i,m,g or =,..
do the following..
I'm not quite sure that this is what you want.
And apart from that, for your original question which was that you only
want to "forward proxy" to some 100 selected and willing external sites,
I suggest that you have a look at this
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
the section entitled "RewriteMap Directive", and in there the part about
a plain text rewrite map.
I am not familiar with it, and have not tried it, but I would suggest
something like this :
- you have incoming URLs like :
/img=http://somewillinghost.company.com/some/path/some.jpg
- you want to forward-proxy these requests to the given willing site
"somewillinghost.company.com", and to 99 other similar willing ones, but
not proxy requests to "cia.gov.us" or the whole planet.
- so you want to do a RewriteRule that will do
RewriteRule "^/img=(.+)$" $1 [P,L]
but *only* if the target site in your list of allowed ones.
Fair enough ?
Then you would first create a small text file, for example
/etc/apache2/allowed-sites.txt
containing lines like
somewillinghost.company.com somewillinghost.company.com
someotherwillinghost.company2.biz someotherwillinghost.company2.biz
athirdhost.stillwilling.org athirdhost.stillwilling.org
etc... (all your willing targets)
then you would put the following directives in your httpd.conf :
RewriteMap willing /etc/apache2/allowed-sites.txt
RewriteRule "^/img=http://([^.]+\.[^.]+\.[^/]+)/(.+)$
http://${willing:$1 | some.bad.host}/$2 [P,L]
(the RewriteRule above is one line).
(some.bad.host is the "default value". If the right allowed host is not
found in your rewritemap file, then this hostname will be substituted.
That could be another virtual host on your server which always answers
"forbidden".
The idea is :
in the RewriteRule above, the first parenthesised group () matches the
hostname of the part after "img=" in the incoming URL, and becomes $1.
The part after the host is $2.
Then with $1 (the hostname), you find a match in the first column of
your text rewritemap file. If you find it, the whole expression
"${willing:$1 | some.bad.host}" is replaced by the content of column 2
(which is the same as column one, or as $1). So this call gets proxied
to the requested host.
If $1 does not match a line in your rewritemap file however, then
"${willing:$1 | some.bad.host}" is replaced by "some.bad.host", which
essentially leads nowhere (I have checked).
I have never tried something like the above, but it should be fun.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org